Auto-Complete has always given me a slight worry over the years but I have still used it to complete those tedious forms when purchasing goods online as I am sure many people have.
But confirming this worry Jeremiah Grossman of White Hat Security has explained to The Register that users who allow their browsers to auto-complete frequently used form fields, such as names or email addresses, may become an easy target for data thieves.
To collect the data a simple website can be constructed with a form with various input fields with typical labels: name, email address or credit card number.
A script is then created which tries out all possible first letters in these fields. This triggers the auto-complete feature which kicks in once the first character has been entered. If the browser auto-completes the letter to make a word, the script processes the entered value. All taking place invisibly behind the scenes of the site form.
Currently the process effects a number of browsers including via JavaScript in Safari 4 and 5 and a similar method can be used in versions 6 and 7 of Microsoft Internet Explorer.
Jeremiah has informed Apple of the security but as yet has now received a reply.
Via Heise Security
